Cannot rid myself of 680180.net adware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by yoopermjm, Aug 2, 2004.

  1. yoopermjm

    yoopermjm Private E-2

    Hello, I am new here. I have been trying for several days to rid myself of this adware which pops up new windows in explorer about every minute or two.
    I am running windows xp with broadband. I have blackice firewall installed and ez-antivirus. All are up to date, including all programs mentioned below.

    When I first got this menace I was away from the computer for lunch and when I came back my browser was inundated with these recurring pop-ups and my computer slowed to a crawl. Several programs were installed and more asked to be. I first ran ad aware and spybot. I then uninstalled every program that was installed through control panel, there were four or five of them, whose names I have long since forgotten. I then ran RegClean and rebooted, running ad-aware on start-up. I tried to delete the problem through a run regedit solution from another site called "spyany.com". No help.

    After seeing the post by Major Attitude, I did everything he asked, including updating windows, disabling system restore, checking for Network Security Service (negative), enabling hidden files (already done), and booting into safe mode.

    In safe mode I:
    ran a full virus scan with ez antivirus
    cleaned the hard drive with ccleaner
    scanned with ad aware, including the vx2 plug-in
    scanned with spybot search and destroy
    ran cwshredder
    ran kill2me
    ran about:Buster

    I then rebooted and I still have the problem. After searching this site for solutions and not finding any that help me, I downloaded hijack this, but I am not running it as you state not to do so until instructed to. I await further instructions. ANY help you can give me will be greatly appreciated. Thank you-- yoopermjm
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. yoopermjm

    yoopermjm Private E-2

    Okay.

    I did everything again as per your instructions-- still no relief.

    Attached is the hijack.txt file.

    Thanks for taking the time. I've never seen anything quite like this.

    Mike
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First we need to disable system restore to prevent this from reappearing after fixing. Read this to disable/enable system restore.

    Enable viewing of hidden files and folders for Win Explorer. While you have that open make sure the item to Hide extensions for known file types is NOT checked.

    Bring up Task Manager by hitting CTRL-ALT-DEL and select the Processes tab. Look for the tyavul.exe process and end it.

    Now click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\gujfh.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Now run HijackThis and put check marks on the following items but DO NOT click Fix until you have first exited all Internet Explorer sessions including the one you are reading from right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll
    O4 - HKLM\..\Run: [bafdvowqj] C:\WINDOWS\System32\tyavul.exe
    O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://smbusiness.dellnet.com/ (file missing) (HKCU)
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite/fvliteY.cab

    Okay! After fixing the above lines with HijackThis, reboot into safe mode and then delete the following files using Windows Explorer:
    C:\WINDOWS\System32\gujfh.dll
    C:\WINDOWS\System32\tyavul.exe

    Reboot in normal mode and let me know how things are working. If everything is good, we will enable system restore.
     
  5. yoopermjm

    yoopermjm Private E-2

    Wow. That is amazing. That seems to do it, as I can tell within one or two minutes when the pop-ups start. Nothing now for twenty. A couple of questions before restarting system restore:

    I never found the line "O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll" and so could not delete it.

    In my earlier efforts to solve this problem, I ran msconfig and turned off all the start programs save a precious few (sorry I didn't tell you that earlier, I did so many things to try to heal this that I forgot that one). Now if I run msconfig again, there are a bunch of start-ups listed that I don't know what they are, and one I do, which has the "tyavul.exe" program in it. Obviously, I won't re-check it, but is there a way to delete it from even being a possibility in my start up menu?

    To prevent this from happening again, I will keep current and run regularly adaware and spybot. I also installed and enabled Spywareblaster. As I stated earlier, I already have ez-antivirus up and running and current, as well as blackice firewall. Is there any other precaution I can take to protect myself from this ordeal in the future?

    You have healed my computer and helped me immensely and I am very grateful. Do you take donations from those you help or is there a place I can contribute to further your efforts to protect us from these scourges?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure that it is not just there under a new name?
    Is this file gone: C:\WINDOWS\System32\gujfh.dll

    The method I was giving you using HijackThis before was how to remove it completely.
    Follow that procedure and delete the file too. You may have to stop msconfig from disabling it first.

    SpywareGuard is good to have too. And are you using a firewall?

    No donations! Just thanks! And spread the word - Majorgeeks is great! :)
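
The check chaslang asks for above ("not just there under a new name?") can be run over two HijackThis logs, one saved before the fix and one after. This is an added example, not part of the thread or of HijackThis: the function names, the matching heuristic (same CLSID or same BHO class name pointing at a different file) and the "after" log lines are assumptions constructed for illustration; the "before" lines and the two file paths are the ones quoted in the thread.

```python
import re

# O2 lines: "O2 - BHO: <class name> - {CLSID} - <file>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O4 lines: "O4 - HKLM\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<path>.+)$")

def parse_log(text):
    """Return the O2 (BHO) and O4 (registry autorun) entries of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", BHO_RE), ("O4", RUN_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, **m.groupdict()})
    return entries

def check_cleanup(before, after, removed_paths):
    """List entries in the post-fix log that still point at, or replace, removed files."""
    removed = {p.lower() for p in removed_paths}
    targets = [e for e in parse_log(before) if e["path"].lower() in removed]
    clsids = {e["clsid"].lower() for e in targets if e["kind"] == "O2"}
    names = {e["name"].lower() for e in targets if e["kind"] == "O2"} - {"(no name)"}
    findings = []
    for e in parse_log(after):
        if e["path"].lower() in removed:
            findings.append(("still-present", e["path"]))
        elif e["kind"] == "O2" and (e["clsid"].lower() in clsids or e["name"].lower() in names):
            # Same BHO identity, different file: the "new name" case.
            findings.append(("renamed", e["path"]))
    return findings

# Files the thread says to delete, and the matching log lines quoted in it.
REMOVED = [r"C:\WINDOWS\System32\gujfh.dll", r"C:\WINDOWS\System32\tyavul.exe"]
BEFORE = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\gujfh.dll
O4 - HKLM\..\Run: [bafdvowqj] C:\WINDOWS\System32\tyavul.exe
"""
# Constructed post-fix logs (placeholder file names, not from the thread).
AFTER_RENAMED = r"""
O2 - BHO: SDWin32 Class - {8AB46D8A-693A-4E19-A406-D9BCA953DE10} - C:\WINDOWS\System32\renamed-example.dll
O4 - HKLM\..\Run: [bafdvowqj] C:\WINDOWS\System32\tyavul.exe
"""
AFTER_CLEAN = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    print(check_cleanup(BEFORE, AFTER_RENAMED, REMOVED))
    print(check_cleanup(BEFORE, AFTER_CLEAN, REMOVED))
```

An empty result only means the logged BHO and Run entries are gone; the files themselves still have to be checked on disk as described in the thread.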
     
